Hacking at the Hackfest

Hello once again XiVO followers ! What's this ? My first blog post has
barely been published and i've already written a second one ! But this
time, i'll be writing about something that will be more interesting for
1337 h@X0r\$ and the like: the Hackfest !

Hackfest ? What's a Hackfest ?

The Hackfest is one of the biggest
events about computer security in the province of Quebec. This year,
more than 400 participants were treated to 2 days full of conferences
and hacking games like Lockpicking, Cyber warfare and Capture The Flag.

XiVO also participated in the Hackfest by giving a conference and
organising the XiVO pwn2own hacking game.

What kind of conference ?

We gave a conference about the security and future of free
telecommunications, the slides are available in attachment of this post.
The conference was supposed to be given by our colleague Nicolas
Bouliane,
but unfortunately, he got sick a few days before the event. Me and my
SCRUM master gave the talk instead. Here's a picture of us during the
conference. As you can see, the room was pretty full !

What about the pwn2own ?

Hackers were given 48 hours to try and hack a standard XiVO server and
find the most exploits possible. As the game went on, clues were given
out through our twitter feed.

Once a hacker found an exploit, he could submit it to our scoreboard to
win points. At the end of the game, the top 3 teams with the most points
won cash prizes. Here's a screenshot of the scoreboard at the end of the
game.

So what happened ? Did you get hacked ?!

Yes ! As you can see from the scoreboard, 3 teams were able to find
quite a few exploits in XiVO. What surprised us most was the number of
hacks that were found on the web interface. Since XiVO is first and
foremost a telephony system, we thought that the hackers would
concentrate on hacking the telephone services (For example, control SIP
accounts, create fake telephones through the Provisionning service, DDoS
the Asterisk server) After all, the web interface is only used for
administrative purposes and isn't a critical piece of the XiVO server.
Instead, we got a total of 10 web exploits and only 1 telephone exploit.

What happens now ?

The XiVO dev team is working on fixing all the exploits found during the
pwn2own. The fixes will be released in version 12.22 at the end of next
week.

All in all, we had great fun participating in the Hackfest. We're
already thinking about how we can make the game more exciting next year,
like how to encourage people to go explore more of XiVO's telephony
services.

Thanks again to the 3 teams who participated in XIVO's pwn2own
(RingZer0, Abed&Francis and Bitducks). We look forward to more hacking
next year !